Report: all major download sites serve potentially unwanted programs
Potentially Unwanted Programs (PUP), adware or crapware is terminology for programs offered to you, usually in the form of being included in installers, that have nothing to do functionality-wise with the program you are trying to install.
Software companies and developers include those programs to make money, and while they certainly do so, help spread those programs with the help of the Internet to thousands if not millions of home computer systems.
Not all of these offers are necessarily bad or outright malicious. Popular companies such as Dropbox use these distribution methods to increase the user base. But even those offers may be unwanted and installed, especially since installers use sneaky techniques to confuse users when it comes to making the right choice.
More often than not though, you end up with software on your system that you don't need. In addition to that, it is often the case that core system settings such as the browser's homepage or search provider get altered in the process as well.
For software developers, it is one way of making money. Depending on how the product is offered, it may be the only way for them. There are alternatives, certainly. A pro version could be offered for instance with added functionality or for-business use, support could be offered for a price, or donations could be accepted.
The downside for developers is that they may drive away users in the long run because of these offers. In addition, all developers, even those not including adware with their programs, may be affected by download wrappers offered on popular download sites even though they have nothing to do with them and don't see a single dime of the revenue generated by them.
Reports on the How To Geek website and more recently on Emsisoft suggest that all (Emsisoft all but one) major download sites serve potentially unwanted programs.
Emsisoft for instance analyzed the top 10 downloads of popular download sites including Download.com, Snapfiles, Sourceforge, Soft32, Softpedia and Software Informer and came to the conclusion that on all but one of them applications were bundled with some sort of PUP. On Download.com, this was the case on all 10 programs. Only Sourceforge did not include PUP with applications according to the report.
If you have been to Sourceforge before, you may know that the site is not as clean as Emisoft's report makes it look like. Some downloads on Sourceforge are offered with install wrappers that install PUP software.
They inform you about this in the article but have not included download wrapper offers in the stats. If they would have, the situation would look even more grim on many portals and Sourceforge would not have received a 0% adware rating.
Generally speaking, it is necessary to distinguish between two different offer types:
- Programs that include adware in their own installer.
- Download wrappers offered on some portals that include adware.
In the worst case, users may be exposed to adware in the download wrapper first before they are exposed to a second batch of adware in the program installer.
One cannot really say that one type is worse than the other as they both cause the same damage on user systems but a distinction needs to be made still.
You find clean download links on most sites that offer download wrappers but those are usually not highlighted while the main downloads (with the wrapper) are.
What are software sites that cover the majority of programs supposed to do about software that comes with adware offers? Not review and offer them for download? What if it is a major program? This could reflect badly on the portal.
It could however also help marginalize the adware distributed business model on the Internet and convince some developers to offer clean installers without adware offers.
There is certainly space in this world for a software site that blocks any program with adware from being listed on it but it would have to block several popular programs in the process. That's not necessarily a bad thing though as there are usually alternatives available that can be offered instead.
Some programs are offered in multiple versions, some with adware others without, and it would be possible to host those without adware on the site but there are other programs that come only with adware.
In the end, software sites have the choice. They can increase the site's revenue by using download wrappers and alienate users in the process, and select to host software programs with PUP bundled or not.
What you can do
- Whenever possible, don't download from major download sites such as Download.com, Softonic, Sourceforge or Tucows.
- If you have the choice between an installer and a portable version, pick the portable version as it won't include adware offers.
- Some sites offer clean programs only. You can try Ninite or Portable Apps for a selection of popular downloads
- If you ever come upon a site that is serving you adware in one form or the other, boycott it from that moment on and (optional) let others know about it.
We’ve covered many points in the comments of the previous article about Filehippo bundling adware, but it bears repeating several of them here:
1. Always go to the developer’s website – the additional time taken is worth it, and it’s a great way to learn a thing or two about the software or developer in the process.
2. Read the download button – the Emsisoft report includes several screenshots of websites which mark which download link contains bundles and which is clean. This is common sense for people used to downloading in the pre-adblock era, but nowadays it’s easy for “mash the big button” to be a reflex action.
3. It should generally be possible to tell the clean installer by filename and filesize, if offered side-by-side with the bundle installer. Look for sources that offer this information.
4. Always treat the installer as hostile, even if the software is known to be benign. Even using the advanced/custom install button you still have to read everything. Emsisoft says scan the installer first, which many good antivirus programs will do. I usually go the safest route and go for the installer-less portable download that only requires extracting an archive.
Try Unchecky: http://unchecky.com/. It significantly reduces automatic installation check box checking. It’s from RaMMicHaeL, the author of 7+ Taskbar Tweaker (which BTW works just fine on Win 8/8.1): http://rammichael.com/
From what I noticed, these additional “offers” are sometimes injected when installer gets access to the Internet – if your firewall will block attempt th it won’t show additional screens with shitware.
I’ve recently tried IObit Start Menu 8 on my Windows 7 and since I knew they’re rather fishy, I’ve granted installer access to the Internet and it show me some browsers add-ons along with search engine change (to Yahoo’s), upon finishing installing another piece of their “software” was added – Advanced SystemCare so I had to uncheck. And for the topping: on the launch UninstallPromote was shown as installed (which wasn’t – it was a link pointing to the another installer) when I’ve opened replaced Start menu.
As for sourceforge, I haven’t had any troubles with downloading any programs from their hub – perhaps Adblock is working and keeps me away from any troubles.
my choice for clean Downloads >DDownloads
Just want to echo kktkkr’s first point, which i think is the most important take home lesson that everyone should adopt:
“1. Always go to the developer’s website – the additional time taken is worth it, and it’s a great way to learn a thing or two about the software or developer in the process.”
That simple step is the best thing you can do.
And to elaborate on his point about “it’s a great way to learn a thing or two about the software or developer in the process” — it will give you some idea, positive or negative, about the developer of the program — are they still around? is their domain gone? is there a support forum? Is there a more recent version of the program? etc.
If there is one rule to follow it’s this one. If you find a program you are interested in — go find the original developer website and get it from there.
Even not. I recently wanted to download the portable version of FilemenuTools, and of course I went to the developer’s site first (Lopesoft). Even that portable version at their own site now appears to be wrapped in an installer in stead of the usual archive… Even one that Uniextract could not manage to open….
I finally found a direct download link at ComputerBild.de , that seemingly gave me the tool without junk as one would expect, but at the end of the process I saw some unusual words flashing, like ‘additional files’ and ‘download manager’, and Superantispyware simultaneously popped up a trojan alert.
So much for what I learned about the developer , and for the state of interhuman relations in that whole degenerated computer ‘buziness’.
I already drastically stopped paying any money for software quite some time ago. Next step : completely stop computing.
I use Filehippo’s Update Checker. In the settings I always block all versions of their “Update Manager”. It is a wrapper.
Educating yourself and knowing how to avoid these pitfalls is the only way to go.
That said, people who live in glass houses must not throw stones. Bundling adware is as much a way of making money as you hosting ads on your site. Just to see, I clicked on an ad on your site that this is where it took me: http://free.snapmyscreen.com/index.jhtml?&partner=^BPR^xdm011 What do you have to say in your defence?
Since this site is a one-man show, I have no control over the ads displayed here. I can try and get some banned if they are reported but that’s all I can do right now. I want to get away from ads using Patreon and user support in general but that is going to take time and depends largely on user support. Once this site becomes self-sufficient in another way, I remove ads.
Same way Softpedia and MajorGeeks have no control over programs which bundle adware but at least they warn you. Yes, it’s a laudable objective to want to get away from using ads but in the meantime you are still hosting them.
There is a difference between hosting programs that contain adware and advertisement linking to pages where software is offered that may be unwanted.
Still, I get your point and I’m in no way condemning software sites that just host these programs but don’t use download wrappers.
Recently had an incident with DOWNLOAD.COM and a program called IZARC, I had used IZARC for years no problem.
Tried to download from CNET/download.com . AVAST blocked the install saying their was a bad adware program trying to install.
AVAST reported a program called “FileRepMetagen (Adw)” was trying to load, and BLOCKED it.
I contacted Download.com and they did investigate, and replied that they had taken down the download from their site. They still showed it abut put in a note to clarify the situation. Their policy is to allow download PROVIDED the company fully discloses the additional software and allows an OPT-OUT. (PUP) Those companies that don’t follow the rules get effectively taken down.
“at this time, we do not actually host the download for IzArc (because of the issues we discovered with their own offers not providing the required opt-out method). If you look at the product page now, you will see that the download link has been removed, and a note added that the page is presented for information only:”
Please also note I went to the IZARC main page and the download did NOT work either. ( file corrupted)
I deleted the program, and found a new one. I also went through ” regedit” to remove all traces of IZARC, and there were over 100 instances left in the registry. ( not impressed.)
We are to the stage where you have to be VERY careful with ANY downloads, even those from the source/developer.
I love Ninite, but I also recently discovered Chocolatey
It’s like apt-get for Windows. It’s an easy install and easy to find and grab from among thousands of clean apps.
Are there any downsides to installing portable versions of software on a computer?
Functionality-wise no, not really. There are some side-effects though. Programs like CCleaner don’t detect portable versions by default which means you may have to add some custom rules to those programs. There is also no start menu, desktop or taskbar shortcut but that is easily added if you require it.
I think it is important to precise these things here :
– really portable programs typically do not interfere with the registry, nor with the appdata area. That is a even a great advantage over installed ones as fooling around there destabilises your system. For that reason I prefer portable programs over installed ones wherever possible, like many people do. But it all depends on the program and what you expect it to be able to do. E.g. with media players, you will be missing context menu items like ‘play this folder in…’ as that needs registry items. If you can live with that, no problem. There are a few programs that give you the option of installing just such registry items if you want.
– there are also people that don’t mind calling things ‘portable’ that are not portable at all. Like the Firefox from PortableApps. It operates just like an installed one, with hundreds of registry items. What makes them call it ‘portable’ is that it theoretically removes those registry items when you close your session, and thus leave no traces. Theoretically, as I experienced that it had not done so… , so in such cases you are far better off with a once installed one rather than one that irresponsibly keeps messing around in your registry again and again.
There are also such fake portable things that do dump files in the appdata area, which might, depending on the case, cause a security risk if you use it on a public system…
Nice informative article;thanks for comments and suggestions.
An easy way to avoid PUP installers is to use the AntiAdware user script!
Here, let me finish that post for you, since you provided no explanation or links:
Works in Greasmonkey for Firefox, and Tampermonkey for Chrome
All sites including author sites have the potential to include PUP’s… how we choose to deal with them is entirely up to us. I use Malwarebyte’s Anti-Malware Premium edition (MAM), so I don’t know if the freebie version does the same thing, but when installing programs from unknown sources during the installation process, MAM intercepts installation of known malware/ spyware/ junkware and quarantines them.
So it is rare I get plagued with these deceptions. Even if I unchecked all the options to not include their offers and suggestions, many have aggressive measures where they will attempt to install the programs anyways regardless of what you checked and unchecked. MAM does a good job at actively blocking installation PUP’s, and site visit PUP’s… Often my Norton’s Internet Security will beat MAM to the punch and block or quarantine stuff as well, so I’m pretty protected.
“I don’t know if the freebie version does the same thing,”
It doesn’t. The free version will only clean existing infections. The pay version is required for active monitoring and prevention.
Those who fear getting stung in this way or have friends and relatives that just blindly click without reading when installing stuff leaving you to pick up the pieces, might want to check out a program called ‘Unchecky’ which ‘does what it says on the tin’ by automatically un-checking those tick boxes that can land you with a PUP, you can get it here: http://unchecky.com. I don’t use it myself since I am wise to this racket by now and always choose the custom install option or where applicable run the program as a portable application.
There is one secure download location, which is Softpedia- it always warns the user whether a program tries to install tool-bar or other kinds of malware. Softpedia is by far the best download site and it has the biggest collection. Some months ago Softpedia interface was ruined but is still as secure as it has ever been.
In stead of downloading directly from SourceForge site one can use a FTP client and download from the many SourceForge FTP mirrors.
+1 for Chocolatey – https://chocolatey.org
I click the Show file source link on each product’s package page to reveal it’s direct download download link and the silent install arguments.
For example, the latest version of the Java Runtime: https://chocolatey.org/packages/javaruntime
Click Show Source, reveals the direct link to: http://javadl.sun.com/webapps/download/AutoDL?BundleId=101467
and silent install parameters: /s REBOOT=Suppress SPONSORS=0
Therefore, after downloading, the clean install command is: jre-7u67-windows-i586.exe /s REBOOT=Suppress SPONSORS=0
The latest version of Adobe Reader: https://chocolatey.org/packages/adobereader
Shows the source: http://ardownload.adobe.com/pub/adobe/reader/win/11.x/11.0.10/en_US/AdbeRdr11010_en_US.exe
and the silent install parameters: /sAll /msi /norestart /quiet ALLUSERS=1 EULA_ACCEPT=YES
Therefore, after downloading, the clean install command is: AdbeRdr11010_en_US.exe /sAll /msi /norestart /quiet ALLUSERS=1 EULA_ACCEPT=YES
Couple of days ago I tried to infect a virtual machine with some PUP and maybe viruses for an experiment. Started googling with all kinds of “download something” queries, downloading and installing software (about 10 pieces). And… no Conduit serch protect or other adware, no unwanted browser extensions beign installed.
So, when you want to get some PUP you can’t :) , when you don’t they come to your pc.
What an excellent reason to torrent full programs. There ARE trusted torrent sites and torrent makers, where you stand a fairly low chance of getting unwanted software (especially with some basic malware and viral scanning). On top of that you get superior software, and don’t contribute to the livelyhood of IP whores or bloatware scammers.
Fuck the police.